CORS, IIS and WebDAV
The most common problem encountered when trying to get CORS working in IIS is WebDAV. WebDAV is installed as both a module and a handler. It wants to process OPTIONS requests but doesn’t know what to do for CORS (especially if you’re using the CORS support from Thinktecture.IdentityModel). The fix is to remove both the module and handler in web.config.
The other common problem when using the CORS support from Thinktecture.IdentityModel is that the handler for .NET code (the ExtensionlessUrlHandler) by default only allows the GET, POST, HEAD and DEBUG methods. We want it to also process OPTIONS, so this needs to be configured. Fortunately, in the MVC 4 templates this is configured automatically, but if you’re doing something other than MVC 4 then you will have to configure it yourself.
Here’s what your web.config should look like to disable WebDAV and allow OPTIONS for the ExtensionlessUrlHandler:
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true">
    <remove name="WebDAVModule" />
  </modules>
  <handlers>
    <remove name="WebDAV" />
    <remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
    <remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
    <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
    <add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
    <add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
    <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
  </handlers>
</system.webServer>
HTH
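A quick way to check a web.config against the three conditions described in the post (WebDAV module removed, WebDAV handler removed, OPTIONS in each ExtensionlessUrlHandler verb list). This is an added example, not code from the original post or from Thinktecture.IdentityModel; the function name audit_cors_config and the sample config are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the WebDAV module is removed, but the WebDAV handler is
# left in place and the re-added handler keeps the default verb list.
SAMPLE_BAD = """<configuration><system.webServer>
  <modules><remove name="WebDAVModule" /></modules>
  <handlers>
    <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
    <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*."
         verb="GET,HEAD,POST,DEBUG"
         type="System.Web.Handlers.TransferRequestHandler"
         preCondition="integratedMode,runtimeVersionv4.0" />
  </handlers>
</system.webServer></configuration>"""

def audit_cors_config(xml_text):
    """Return a list of findings; an empty list means all three checks pass."""
    root = ET.fromstring(xml_text)
    # iter() also matches the root, so a bare <system.webServer> fragment works.
    ws = next(root.iter("system.webServer"), None)
    if ws is None:
        return ["no <system.webServer> section"]
    findings = []
    removed_modules = {e.get("name") for e in ws.findall("modules/remove")}
    removed_handlers = {e.get("name") for e in ws.findall("handlers/remove")}
    if "WebDAVModule" not in removed_modules:
        findings.append("WebDAVModule is not removed from <modules>")
    if "WebDAV" not in removed_handlers:
        findings.append("WebDAV handler is not removed from <handlers>")
    added = [e for e in ws.findall("handlers/add")
             if e.get("name", "").startswith("ExtensionlessUrlHandler")]
    if not added:
        findings.append("no ExtensionlessUrlHandler is re-added here; "
                        "the inherited verb list applies")
    for e in added:
        name = e.get("name")
        verbs = {v.strip().upper() for v in e.get("verb", "").split(",")}
        if "*" not in verbs and "OPTIONS" not in verbs:
            findings.append(f"{name} does not accept OPTIONS")
        if name not in removed_handlers:
            findings.append(f"{name} is added without a matching <remove>")
    return findings

if __name__ == "__main__":
    for finding in audit_cors_config(SAMPLE_BAD):
        print("FINDING:", finding)
```

The check only reads the file it is given; settings inherited from applicationHost.config or a parent web.config are not visible to it.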

Thanks for the post. I was having issues with this earlier. In my scenario I was able to get this working with this config: http://screencast.com/t/SkyQIW7V9ltZ
In your example you have the additional handler removed for WebDAV. Can you tell me the difference from your config to the one in my screen shot?
I appreciate the help. Thanks much.
Seems that the only diff is the “runAllManagedModulesForAllRequests”. This just means to run the .NET HTTP modules for all requests including static files and non-.NET handlers. I don’t know if you need this either way — depends upon what modules you need. But I think it’s unrelated to CORS, because any CORS request would map to .NET code (at least if you’re talking about the Thinktecture.IdentityModel CORS implementation).
Are you still having problems?
It’s working now with the config from my screen shot. Although I might try your config. At this point I’m really just trying to understand it better.
At first I just had the WebDav Module removed. This only worked in IIS8. In IIS 7.5 something was still handling the “OPTIONS” verb and it would get nowhere near my custom handler or your IdentityModel Cors handler.
To get it to work in IIS 7.5 I did as follows:
a) Removing the WebDav module.
b) set runAllManagedModulesForAllRequests = true.
(I did not have WebDAV handler removed as in your example above, but I would like to try that).
Yea, I suspect it’s the WebDAV handler — I wrote this post from testing on my Win7 test VM and I had to remove both the handler and module. The “runAllManagedModules” setting is unrelated, IMO.
Just thought I would chime in. I tried setting up my web.config exactly like above, but I couldn’t get this issue resolved until I added the runAllManagedModulesForAllRequests = true like gmetzker pointed out. I’m running in IIS8 on Server 2012.
Good post. But it doesn’t work in my situation. I use WebApi as server-side and MVC 4 as client-side. In the WebAPI app I added Thinktecture.IdentityModel and removed the WebDAV module and handler in web.config. From the MVC client side I send a DELETE request from jQuery ajax. Fiddler showed that the OPTION request returned 200 OK and nothing more. The browser showed a jQuery error: Origin “mysite” is not allowed by Access-Control-Allow-Origin. I don’t understand what the bug may be.
Thanks. Sorry for bad English.
@Mike — there’s also an OPTIONS http handler — maybe this is also getting in the way?
Hi Brock, I realise this is a while since you were discussing, but I just cannot get my configuration right. I have tried all the configs above but whenever I test communication (usually using test-cors.org or similar) it gets refused saying origin not allowed. I have set the cors configuration to Allowall so I can get it working and worry about refining it later but to no avail.
I am using webapi server side and then using test-cors.org to test communication with it. When I could not get it working with the full version of my app I created a couple of test projects with only the simple basics in place, using Thinktecture to provide CORS handling.
I was following through the comments and just wondered if you could give any advice regarding your mention of the OPTIONS handler (since I have tried everything else mentioned) ?
Sorry, it’s very hard for me to tell given that there are so many environmental variables.
Everything worked like a charm from your code in localhost asp.net. But it didn’t work in IIS8. I finally figured out the error causing the problem.
<!–
The above config settings was overwriting the CORS from Thinktecture and I commented it. It started working.
Thanks
under
in my web.config
I’ve tried with a minimal MVC project, with the Thinktecture CORS library. My web.config is as specified on top of the post disabling WebDAV – and the Global.asax.cs extended with CORS registration (the sledgehammer version :)).
But still my test project doesn’t respond with CORS headers. I’ve tried this in IIS developer context as well as IIS 8 context. Same result. I’m testing my headers with a HTTP REST posting tool (Postman).
What might be wrong?